The Internet is slowly beginning to adopt the new DNSSEC domain names standard, but significant challenges remain. That was the main takeaway from a four-hour workshop on the technology held during the recent ICANN 41 public meeting in Singapore, which heard from many domain registries, registrars and other infrastructure providers.

July 15, 2011, was the one-year anniversary of ICANN signing the DNS root system with DNSSEC. While enormous strides have been made since then, such as the signing of key top-level zones, the standard is now entering what may prove to be its trickiest phase of deployment -- encouraging usage by domain registrants and the support of the registrars that, in most cases, will act as their gatekeepers.

About 25 percent of all top-level domains have DNSSEC records anchored into the root, enabling their second- and third-level registrants to sign their own zones. Matt Larson of VeriSign, which made DNSSEC available in the .com TLD at the end of March, told ICANN attendees that 26 registrars -- seven or eight of them in the top ten by registration volume -- have already placed one or more DNSSEC records into the .com zone on behalf of their customers. That's a small but still encouraging number, especially given the short time-span that has elapsed since .com was signed and the relative complexity of implementing DNSSEC. Larson added that one registrar has submitted 1,000 signed domains, and that one individual registrant –- obviously a thought-leader -– has signed 500 of his own domains.

But the workshop also heard from some who are still skeptical about the technology. Michele Neylon of Blacknight Solutions pointed out that, for a registrar with limited resources, it can be hard to justify the cost of implementing DNSSEC until it can be persuaded of the commercial benefit. In the absence of strong customer demand, registrars may feel their time and effort is be better spent on projects that do more to grow their businesses. There are also unresolved issues around procedures for handling cryptographic key data when a registrant transfers a domain to a new registrar or resolution provider, which have yet to be addressed to the satisfaction of some.

This is one of the chicken-and-egg situations that those in the DNS technical community have been commenting on for most of a decade. Today, possibly the only thing that could provide a sudden sharp uptick in demand would be a broadly publicized threat as serious as 2008's Kaminsky Bug, which DNSSEC would have substantially cured. Of course, not even DNSSEC's strongest proponent would wish for that scenario.

In the absence of a stick as large as Kaminsky #2 would represent, the carrot must suffice. Security-conscious e-commerce companies and financial institutions will lead the way when it comes to showing off DNSSEC as a competitive differentiator, which will help awareness-raising efforts. In addition, ICANN's new gTLD program mandates DNSSEC at the registry level, which will likely inspire many applicants -- like potential high-security authenticated zones, such as .secure or .pay -- to enforce the protocol at the second level, too.

You have to learn to walk before you can run, and if the ICANN workshop in Singapore demonstrated anything, it's that the global DNSSEC deployment initiative is certainly still in the walking phase. But it is moving, and that's a good thing.

I recently wrote about the encouraging level of DNSSEC adoption among top-level domain name registries, and noted that adoption at the second level and in applications is an important next step for adding more security to the DNS. The root and approximately 20 percent of the top level domains are now signed; it is time for registrars and recursive DNS servers operated by the ISPs to occupy center stage. I'm happy to report that a workshop on the deployment of the DNSSEC protocol at the recent ICANN 40 meeting in San Francisco provided an excellent opportunity for many vital stakeholders to share their views and deployment stories.

DNSSEC, short for Domain Name System Security Extensions, is an enhancement to the DNS protocol that ensures a greater level of trust when resolving domain names. Using DNSSEC, resolvers can validate digital signatures using public cryptographic keys to see whether DNS answers have been tampered with. The protocol is important because, widely deployed, it will curb attacks such as DNS cache poisoning, which can be used to steal money, identities and other valuable data.

ICANN has held DNSSEC workshops during its meetings for several years, but there was an increased level of excitement and participation this time around. This was not only due to the workshop’s location close to Silicon Valley; participants also expressed a feeling that DNSSEC is now a reality that needs to be addressed. As moderator Dr. Steve Crocker put it, "DNSSEC is in the ascendency."

During the workshop, attendees heard from companies such as PayPal, the major e-commerce payment processor, which has a DNSSEC roll-out plan it believes will take up to six months to implement. Andy Steingruebl, who manages Internet standards and governance for PayPal, said the company is committed to bringing the security benefits of DNSSEC to its customers, but is taking a cautious approach to deployment. The company will begin by signing some of its smaller, lesser-used DNS zones before it brings the technology to its main site, paypal.com. The fact that a company as large and influential as PayPal has already started to put its DNSSEC plan into action is excellent news.

Delegates also heard some notes of caution. Mozilla's Brian Smith, for example, stated that the Firefox browser will not get native, on-by-default DNSSEC compatibility until the organization is confident that the protocol has been deployed correctly in routers and by people signing their zones. Poorly configured DNSSEC elsewhere could create error messages in the browser that the vast majority of Web surfers would not understand, he noted, prompting them to blame Firefox and switch to a competitor's product. Native browser support seems to be a longer-term goal for the global DNSSEC deployment initiative. Browser plug-ins are, however, already available, and that is where client support will likely come from in the near term.

Right now, DNS service providers are doing their parts. A collection of services from various vendors, including Afilias' own One Click DNSSEC, have recently launched to make it easier for companies to secure their zones without getting into the complex technical guts of key generation, management and rollover.

The message from the domain name industry has been clear for some years: DNSSEC is coming. The new message is that key players from other parts of the e-commerce ecosystem are also coming on board. It's a team effort. With the DNS root and TLDs representing the majority of domain owners now signed, and the first registrars already offering DNSSEC services, it's time for everyone else to take notice. The kind of security provided by DNSSEC will only come to the entire DNS if everybody with a role to play takes part.

Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point. Thanks to the combined efforts of registries around the world, the new security protocol will soon be available to the majority of domain name registrants in almost a quarter of all TLDs.

As a reminder, DNSSEC — Domain Name System Security Extensions — is a trust upgrade to the decades-old DNS protocol. Using DNSSEC, resolvers are able to ensure that no one or nothing has tampered with DNS messages by validating their cryptographic signatures. The technology goes a long way in protecting Internet users from attacks, like cache poisoning, that have the potential to undermine the trust we all place in electronic commerce.

According to ICANN's latest statistics, more than 20% of the world's TLDs have now implemented DNSSEC in their zones: 69 are signed, and 62 have also published the signatures in the root zone, meaning they are fully DNSSEC-compatible. This rapid uptake has been driven by the concerted efforts of TLD registries. Since the landmark DNSSEC signing of .org in 2010, Afilias has been rolling out the technology to all of the gTLDs and ccTLDs for which we provide registry services as part of our “Project Safeguard.” Registrants of .info domains can now use DNSSEC, and we have also announced the signing of the .in, .me, .gi, .mn and .sc zones, among others.

Other ccTLDs have also recently been signed, but two of the largest recent DNSSEC deployments have occurred in .net and .com, which together account for more than half of the world's existing domain name registrations. While the .net implementation is now complete, .com is currently serving DNSSEC information that deliberately cannot be validated. The .com domain will not be fully "switched on" until the end of the month. When this happens, of the seven "original" gTLDs, only .mil and .int will remain unsigned.

DNSSEC availability in .com will also prove to be a landmark in terms of raising awareness among domain name registrants. It's great that so many TLDs are being signed, but this is of little use to Web surfers until second-level registrants also begin to sign their zones. Registrars are already launching services to simplify what is a complex technology to deploy and manage, but these need to be used.

When major corporations that have their primary website at a .com domain begin to publicly deploy the technology, DNSSEC will likely begin to market itself in a viral manner. Much like a newly launched TLD needs well-known brands to adopt its domains, a few big "anchor tenants" will also prove priceless for spreading the word about DNSSEC. When major e-commerce, financial services and social networking sites start to openly embrace the specification, it should become a competitive imperative for others to do the same so that they avoid appearing less secure than their rivals. With a bit of luck, at this time next year, I will be writing about the encouraging level of DNSSEC adoption at the second level of the domain name system, rather than at the top level.

Afilias' Greg Aaron will be presenting the latest findings highlighted in the APWG Global Phishing Report on Abuse of TLDs at this year's Counter-eCrime Operations Summit on Wednesday April 27th, 2011.

• ‹ previous
• 94 of 105
• next ›

Collaboration brings together registry services with legal & business consultation services for domain names

SAN FRANCISCO – Feb. 10, 2011 – Afilias Limited, a global provider of Internet domain name registry and Domain Name System (DNS) services, today announced that it has entered into a Memorandum of Understanding (MoU) with Crowell & Moring LLP. Under this MoU, Afilias and Crowell & Moring will extend their current working relationship into supporting new top-level domains (TLDs).

“Afilias offers prospective new TLD applicants complete registry and DNS services that reflect our experience supporting the launches of five new TLDs -- more than any other provider. We are glad to be working with Crowell & Moring, who offers legal and business consultation services that complement our technical expertise,” said Roland LaPlante, Senior Vice President and Chief Marketing Officer for Afilias.

Flip Petillion, partner of Crowell & Moring and co-head of its TLD and Domain Name practice, said, “We have a unique and extensive background in assisting companies with the complex administrative, operational, and legal issues of applying for, establishing, and managing a top-level domain registry. Parties who are interested in acquiring one or more proprietary top-level domains are looking for end-to-end guidance. We are pleased that we can rely on our relationship with Afilias -- one of the key technical players in this market -- for their hands-on technical experience and expertise.”

ICANN is expected to finalize the Applicant Guidebook and application process for new TLDs soon, resulting in the acceptance of new TLD applications in 2011. Under terms of this MoU, Afilias and Crowell & Moring will jointly market their services to prospective new TLD applicants, enabling them to easily develop stronger, more compelling proposals to ICANN for their desired new TLD string.

Afilias’ Global Registry and DNS services power more than 18 million registrations across 15 TLDs, including five TLDs operating under ICANN contracts. Afilias’ suite of new TLD services features a “thick” EPP registry, a globally diverse and redundant Anycast DNS network,immediate global distribution channel access, 24x7 call-center and technical support, as well as sales and bid consultation.

In addition, Afilias offers other premium solutions to augment its registry offering, including technology to enable mobile phone compatibility for websites and a unique IDN-capable email solution. All Afilias services are DNSSEC and IPv6 ready, and reflect nearly 10 years of experience in supporting gTLDs operating under ICANN contracts.

About Afilias
Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias, visit www.afilias.info.

About Crowell & Moring LLP
Crowell & Moring LLP is an international law firm with nearly 500 lawyers representing clients in litigation and arbitration, regulatory,and transactional matters. The firm is recognized for its experience in domain names and its work for clients to address the legal, contractual,operational, and administrative aspects of establishing, launching, and managing new top-level domain registries. Crowell & Moring’s extensive experience also includes work in domain and domain name litigation and arbitration. The firm has offices in Washington, DC, New York, LosAngeles, San Francisco, Orange County, Anchorage, London and Brussels. Visit Crowell & Moring online at www.crowell.com.

DNSSEC is being rolled out quickly in top-level domain registries around the world, but there's still some way to go to encourage other Internet stakeholders to adopt the new security technology. That was one of the key takeaways from a day-long, comprehensive session on Domain Name System Security Extensions implementation worldwide, held during ICANN's public meeting in Cartagena, Colombia, last week.

More than 50 registries have now signed their TLD zones using DNSSEC. Notably, VeriSign last week announced that it has enabled DNSSEC in the .net TLD, and that .com signing is scheduled for early 2011, two moves which will significantly increase adoption at the TLD registry level. These efforts complement others such as Afilias' own ongoing Project Safeguard, which is committed to implementing DNSSEC across TLDs for which we currently provide registry services. During the ICANN workshop, Steve Crocker, co-chair of the DNSSEC Deployment Initiative presented data showing the growth of fully operation DNSSEC TLDs over the last 12 months.

But it takes more than just TLD registries to deploy DNSSEC for the full benefits of a more secure DNS to be felt by all Internet users. Domain registrars, software and hardware developers, ISPs and end users all need to do their part to support the technology. The main challenges for DNSSEC adoption in the coming year lie beyond the registry level.

DNSSEC is a complex technology so, when communicating its value, it is important to keep the message simple. Users of anti-virus software do not need to know how malware works in order to understand the need for good security; the same should be true for the DNS. A common view among ICANN delegates was that Web browser developers will need to visibly support DNSSEC in their interfaces – through, for example, an TLS/SSL-style "green bar" – before there is widespread understanding of the value it brings.

The registrar community is largely still exploring its go-to-market options for DNSSEC, but some have already started to back up verbal support commitments with tangible new services. GoDaddy, for example, said in Cartagena that it will offer managed signing as part of a Premium DNS package that will include unrelated value-added services. Panelists agreed that most domain name customers are unaware of the security benefits that DNSSEC offers, but that corporate customers are more aware of the problems inherent in not using DNSSEC than others.

While DNSSEC outreach is necessarily a cross-community effort, some TLD registries have already started DNSSEC awareness-raising efforts. The Public Interest Registry, which signed .org with Afilias' support earlier this year, has launched a "Practice Safe DNS" campaign aimed at everybody from hardware manufacturers and web developers to domain registrants themselves.

In the coming months, DNSSEC will go from being supported by a relatively small numbers of TLDs to one which is available to the large majority of registrants worldwide. The challenge now, agreed panelists at the ICANN DNSSEC workshop last week, is to ensure that the consumer benefits of a more secure DNS are effectively communicated to technology enablers and early adopters.

Afilias is a sponsor of the dot NXT conference on new gTLDs. Afilias' Roland LaPlante will be a panel member discussing one of the most important and complex tasks of operating an Internet extension: the back-end technical operation.

The Greater Washington, D.C. Chapter of the Internet Society will hold a panel of experts discussion on: “Internet Governance – the next 5 years”

When: Wednesday, December 1, 2010 – 6:30p.m. to 8:30p.m.

Where: The Car Barn, 3520 Prospect Street, Georgetown – Room 204

Open to all. No fee.

The recently concluded Internet Governance Forum and ITU Plenipotentiary meetings highlighted that the future of Internet Governance, the IGF and the role of stakeholders is critical to the continued growth and reach of the Internet. Experts who attended the IGF and ITU Plenipotentiary will share their views of the future Internet and what you can do to help shape it.

The panel will be:

Ambassador Phil Verveer – United States Department of State

Fiona Alexander – United States Department of Commerce

Keith Drazek – VeriSign

Veni Markovski – ICANN

Marilyn Cade – ICT Strategies

Liesyl Franz – Tech America

John Curran – ARIN

Brian Cute – Afilias, Moderator

Brings added security to three more countries around the world

DUBLIN, IRELAND - 18 November 2010 - Afilias, a global provider of Internet infrastructure services, today announced that it has enabled Domain Name System Security Extensions (DNSSEC) for .GI, the country code Top Level Domain (ccTLD) for Gibraltar, .MN for Mongolia, and .SC for the Seychelles.

"This is another step forward in Afilias' Project Safeguard rollout that is broadening DNSSEC deployment across our registry system," said Ram Mohan, Executive Vice President and Chief Technology Officer for Afilias. "With more than 50 TLDs having now deployed DNSSEC, we are pleased to enable our customers to benefit from our global leadership on DNSSEC and our supporting registry technology."

"Gibraltar is pleased to be able to provide our country of Internet users and domain owners with the confidence of their domain security" said Jimmy Immosi, .GI Manager.  "Deploying DNSSEC, along with our registry provider Afilias, will allow our domain to participate equally with world leaders on this important Internet security milestone."

DNSSEC protects the DNS from cache poisoning exploits which can allow malicious entities to intercept an Internet users' request to access a website, and redirect or eavesdrop on the user without their knowledge, and with no ability to reassert control. DNSSEC introduces digital signatures to the DNS infrastructure and ensures that DNS responses came from their authoritative source.

"Being an early adopter of the latest security technology is a significant opportunity for our country," said Baasansuren Burmaa, Director, MN Domain Registry.  "We are excited to be able to provide this benefit to Internet users from Mongolia and others around the world who have adopted a .MN Web address."

Mr. Marc Houareau, Executive Chairman of VCS Pty Ltd, the managers of .SC TLD added, ".SC domains are used not just in the Seychelles, but around the globe as a meaningful and short Web address.  Signing the .SC domain with DNSSEC allows us to play a key leadership role in evolution of the Internet."

Afilias' signing of these TLDs is part of its "Project Safeguard" initiative, bringing the number of secured TLDs on its registry platform to eleven.  Afilias' Project Safeguard includes the rollout of DNSSEC across its registry and DNS platforms and will incorporate an education and training program for Registrars to facilitate their adoption and implementation through 2011.

About Afilias

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias' reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit www.afilias.info.

.ASIA top-level domain is one of the pioneer domain registries in Asia to enable the secure DNS standard

Beijing, 11 November 2010 – This week, at the 79th Internet Engineering Task Force (IETF) meeting in Beijing, China, Afilias and DotAsia jointly announced that Domain Name System Security Extensions (DNSSEC) has been enabled for the .ASIA top-level domain. The signing of the .ASIA domain enhances global security and reinforces .ASIA’s commitment to become the Internet identity for businesses from Asia as well as those expanding to Asia.

“The .ASIA domain is now alongside other industry leaders such as the .GOV TLD in being some of the first TLDs to enable DNSSEC,” said Dr. James Galvin, Director of Strategic Partnerships and Technical Standards for Afilias. “Afilias is pleased to be able to provide our DNSSEC expertise and technology to our customers, especially .ASIA, which has proved a useful and meaningful domain across the Asian region.”

Speaking at the launch ceremony in Beijing, Edmon Chung, CEO of the DotAsia Organisation, was delighted that the deployment of DNSSEC is now a reality for .ASIA. “DotAsia has always put security and stability of the Internet as a top priority for our community. The implementation of DNSSEC furthers our commitment to foster a safe and secure environment for ecommerce to prosper in Asia. The .ASIA domain enhances Search Engine Optimization (SEO) for users coming from Asia as well as those looking for information in Asia from around the world. With DNSSEC, the identity of domains can be further secured to protect businesses and Internet users transacting on .ASIA domains.”

DNSSEC introduces digital signatures to the DNS infrastructure and automatically ensures that users are not hijacked and taken to an unintended destination. Afilias and DotAsia recommend that domain registrars and resellers in Asia plan DNSSEC deployment in their 2011 development schedule. Both companies aim to help proliferate the standard within the Internet community in Asia.

About Afilias

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias' reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit http://www.afilias.info/.

About DotAsia Organisation

DotAsia Organisation is a regional not-for-profit organization with a mission to promote Internet development and adoption around Asia. DotAsia oversees the ".Asia" top-level Internet domain name, and is formed as an open membership consortium of official domain authorities around the region, including .CN (China), .JP (Japan), .KR (Korea), .IN (India), .NZ (New Zealand), .PH (Philippines), etc., and regional Internet organizations including APNIC, APNG, APCERT, PAN and APTLD. DotAsia has a core mandate towards digital inclusion, education and research and development. For more information on DotAsia please visit http://www.registry.asia/.

Attachment	Date	Size
Overview and History of DNSSEC - IETF Beijing/ .ASIA DNSSEC signing Afilias' Dr. James Galvin provides an overview and history of DNSSEC at the .ASIA DNSSEC press event in Beijing China Nov 11, 2010.	11/11/10 7:03 pm	30.87 KB
History and Value of DNSSEC presentation Afilias' Dr. James Galvin provides a history and overview of DNSSEC at the .ASIA DNSSEC signing press conference at the IETF meeting in Beijing China Nov 11, 2010. (See separate document for verbal remarks)	11/11/10 6:41 pm	702.3 KB